Good morning!
Your organization’s next cybersecurity nightmare may come from scammers masquerading as HR. According to security software company KnowBe4’s second-quarter 2023 global phishing report, half of the top phishing tests employees clicked featured HR-related subject lines.
Per the report, the HR-themed subject lines that drew clicks concerned vacation (19% of all successful phishing tests), dress-code policies (11%), requests to update W-4 tax forms (11%), and training deadlines (9%). Non-HR subject lines that also drew high click rates flagged supposed typos, fake Adobe requests to sign off on performance reviews, and fake Google notifications about a mention in a shared document.
“We saw a huge uptick in the HR emails getting used,” says James McQuiggan, a security awareness advocate at KnowBe4. “Anything that's authoritative, anything that drives that emotion with users, [employees will] be real gung ho trying to find out what's going on."
Phishing scams create a sense of urgency for the victim, prompting them to click the bait without caution. Although many employees have learned to catch more obvious scams, like fake invoices or requests from an attacker impersonating the CEO, it's easier to let one’s guard down when the email subject concerns payroll or vacation policy changes.
“Creating that sense of urgency is really part of the toolkit that an attacker would use, and if you're like me or other employees, you'd be concerned if you had an email from HR in general,” says Deron Grzetich, national cyber leader at West Monroe, a digital services firm headquartered in Chicago.
Employers and HR teams can take three actions to reduce the risk from phishing.
1. Invest in security controls: email filtering to keep phishing messages out of inboxes, and multi-factor authentication so that a phished password alone does not grant access. (Filtering is the control that stops the message from arriving; MFA limits the damage when someone clicks anyway, and phishing-resistant methods such as hardware security keys hold up better than one-time codes, which attackers can relay in real time.)
2. Make employees aware of cyber risks and show them how to report a suspicious message. Establish communication best practices so staff know what a genuine HR message looks like.
3. Announce policy changes or updates through a channel other than email, such as a Slack channel or the internal portal, or task managers with sharing new HR guidelines with their teams.
CHROs should also provide employees with step-by-step instructions for accessing such information internally without clicking on a URL in an email. “Communication is key when you're making changes like that. If there are other out-of-band communication methods that you can do with your users, then that goes a long way as well, rather than just relying on [saying], ‘Hey, there's this email coming,’” says McQuiggan.
Think of it as operating like a bank would with client communications, Grzetich says. “My bank wouldn't give me an emailed link to click on. They would tell me to go to the bank website and log in. HR could do that as well."
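The filtering recommendation above and the "go to the portal, don't click the link" advice translate into a small set of mail-gateway heuristics. The following is an added example, not code from the article, KnowBe4, or West Monroe: it scores an inbound message on the signals described in the piece (an HR-themed subject drawn from the report's list, urgency language, and a sender or body link that sits outside the organization while the message poses as HR). The organization domain `corp.example`, the `Message` class, and all sample messages are constructed for illustration.

```python
"""Heuristic triage of inbound mail for HR-themed phishing.

Added example (not part of the original article). ORG_DOMAIN, the
Message type and the SAMPLES below are all assumptions made for the demo.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "corp.example"  # assumed: the defender's own mail domain

# Subject themes taken from the KnowBe4 Q2 2023 list quoted in the article,
# plus related payroll/benefits terms a filter author would add.
HR_THEMES = ("vacation", "pto", "dress code", "w-4", "w4", "training",
             "performance review", "payroll", "benefits")
URGENCY = ("action required", "immediately", "by end of day", "deadline",
           "within 24 hours", "final notice", "urgent")
HR_DISPLAY_NAMES = ("hr", "human resources", "people team", "payroll")


@dataclass
class Message:
    sender: str                 # raw From: header, e.g. 'HR <hr@corp.example>'
    subject: str
    links: list = field(default_factory=list)  # URLs extracted from the body


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_external(domain: str) -> bool:
    # Only the org domain and its subdomains count as internal; a lookalike
    # such as corp-example.com is external.
    return domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)


def _contains_any(text: str, needles) -> bool:
    t = text.lower()
    return any(n in t for n in needles)


def score_message(msg: Message):
    """Return (score, reasons). Higher score = more phishing-like."""
    display, addr = parseaddr(msg.sender)
    sender_domain = _domain_of(addr)
    score, reasons = 0, []

    hr_subject = _contains_any(msg.subject, HR_THEMES)
    poses_as_hr = hr_subject or _contains_any(display, HR_DISPLAY_NAMES)
    if hr_subject:
        score += 1
        reasons.append("hr-themed subject")
    if _contains_any(msg.subject, URGENCY):
        score += 1
        reasons.append("urgency language")
    if poses_as_hr and _is_external(sender_domain):
        score += 2  # the strongest signal: claims HR, but not sent by us
        reasons.append(f"poses as HR from external domain {sender_domain}")
    hosts = {urlparse(u).hostname or "" for u in msg.links} - {""}
    ext_links = sorted(h for h in hosts if _is_external(h))
    if ext_links and poses_as_hr:
        score += 1  # real HR announcements should point at the intranet
        reasons.append("HR-themed message links outside org: " + ", ".join(ext_links))
    return score, reasons


def triage(msg: Message) -> str:
    score, _ = score_message(msg)
    if score >= 3:
        return "quarantine"
    if score >= 2:
        return "flag"
    return "deliver"


# Constructed sample messages (not real mail).
SAMPLES = {
    "w4_lure": Message("HR Department <hr-team@payroll-updates.example>",
                       "Action required: update your W-4 by Friday",
                       ["http://forms.payroll-updates.example/w4"]),
    "lookalike": Message("People Team <people@corp-example.com>",
                         "Reminder: complete your annual training",
                         ["https://corp-example.com/training"]),
    "real_hr": Message("Human Resources <hr@corp.example>",
                       "Updated vacation policy posted on the intranet",
                       ["https://intranet.corp.example/policies/vacation"]),
    "urgent_internal": Message("HR <hr@corp.example>",
                               "Deadline: vacation requests due immediately"),
    "invoice": Message("Acme Billing <billing@acme.example>",
                       "Invoice 4471 attached"),
}


def triage_all():
    return {name: triage(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(f"{name:16} -> {triage(m):10} {score_message(m)[1]}")
```

Two design points follow from the article. The heaviest weight goes to "claims to be HR but comes from outside the organization", which is exactly the case the bank analogy addresses; a genuine HR notice that is merely urgent (the `urgent_internal` sample) is only flagged for review, not blocked. These header and link checks do nothing against a compromised internal mailbox, which is why the out-of-band announcement channel described above still matters even with filtering in place.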
Paige McGlauflin
paige.mcglauflin@fortune.com
@paidion